pycage / cargodock

A file manager for Sailfish devices
GNU General Public License v2.0

Remember self-signed/CACert.org certificates #7

Closed muggenhor closed 5 years ago

muggenhor commented 10 years ago

When connecting to a WebDAV server with a self-signed or CACert.org-signed certificate, a warning is (justly) shown. Unfortunately it doesn't remember that certificate's hash, so you have to re-accept it the next time.

Verifying the hash manually once isn't a real problem; having to do so over and over again is. (Also, if you're going to do a hash comparison instead of a complete byte-wise comparison, it should be the SHA-1 hash, not the MD5, because MD5 is broken for forging-prevention.)

Another possibility might be to use certificate pinning for CA-signed certs as well, possibly combined with something like http://tack.io/, though I'm mostly just thinking out loud there.
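
The behaviour requested in the comment above (accept a certificate once, recognise it on later connections, and flag a different one), as an added example that is not part of this issue thread or of cargodock's code. The class and function names are hypothetical, the certificate bytes are constructed stand-ins, and the pin is a SHA-256 fingerprint of the full DER certificate rather than the SHA-1 mentioned above.

```python
import hashlib
import hmac
import json
from pathlib import Path

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-A"
CERT_B = b"constructed-der-bytes-B"


class AcceptedCertStore:
    """Hypothetical store of certificates the user accepted, keyed by host:port."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    @staticmethod
    def fingerprint(der):
        # Hash the whole DER encoding so any change to the certificate changes the pin.
        return hashlib.sha256(der).hexdigest()

    def check(self, host, port, der):
        """Return 'unknown' (ask the user), 'trusted' (no prompt) or 'changed' (warn)."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return "unknown"
        if hmac.compare_digest(pinned, self.fingerprint(der)):
            return "trusted"
        return "changed"  # never silently replace an existing pin

    def accept(self, host, port, der):
        """Persist the pin after the user has verified the fingerprint."""
        self.pins[f"{host}:{port}"] = self.fingerprint(der)
        tmp = self.path.with_name(self.path.name + ".tmp")
        tmp.write_text(json.dumps(self.pins, indent=2))
        tmp.replace(self.path)  # atomic rename so a crash cannot truncate the store


def demo(path):
    """First connection, user accepts, reconnect after restart, then a different cert."""
    states = [AcceptedCertStore(path).check("dav.example.org", 443, CERT_A)]
    AcceptedCertStore(path).accept("dav.example.org", 443, CERT_A)
    restarted = AcceptedCertStore(path)  # fresh instance simulates the next app start
    states.append(restarted.check("dav.example.org", 443, CERT_A))
    states.append(restarted.check("dav.example.org", 443, CERT_B))
    states.append(restarted.check("dav.example.org", 8443, CERT_A))
    return states
```

In a real client the DER bytes come from the TLS library, for instance `ssl.SSLSocket.getpeercert(binary_form=True)` in Python.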

Wedmer commented 5 years ago

Still actual?

Wedmer commented 5 years ago

No feedback, closed.